Fri Apr 8 06:49:41 PDT 2016
Management: Security awareness: What sort of enterprise security awareness program should the enterprise have?
Options:
Option 1: Initial awareness training for all employees
Option 2: Periodic security reminders.
Option 3: Guest lectures.
Option 4: Training sessions.
Option 5: Verified learning systems.
Option 6: Scenario-based policy awareness programs.
Option 7: Booklets, pamphlets, and posters.
Option 8: Document review awareness.
Option 9: Day-to-day awareness programs.
Option A: Department meetings.
Option B: Video-based awareness programs.
Option C: Scenario game awareness programs.
Option D: Badging and carding.
Option E: Stand-downs.
Option F: Communications-based awareness programs.
Option G: Award programs.
Option H: Social pressure programs.
Option I: Covert awareness programs.
Decision:
IF the enterprise is small and not publicly owned and a minimal program is desired, THEN use initial awareness training, periodic security reminders, and training sessions.
OTHERWISE use the table below to determine when to use which approach.
Use ALL that apply:
Situation | Technique
Upon start of work for anyone | Use initial awareness training.
At least once every six months | Use periodic security reminders.
For large groups of highly skilled workers | Use guest lectures.
For personnel with access to medium or high risk systems or content | Use training sessions.
For distant or traveling individuals who cannot make local training sessions | Use verified learning systems.
For cases where a wide range of possibilities exist and group cohesion is valuable | Use scenario-based policy awareness programs.
For cases where standard approaches are widely used by large numbers of workers | Use booklets, pamphlets, and posters.
At least annually | Use document review awareness.
When a security culture is desired | Use day-to-day awareness programs.
When periodic (usually monthly) department meetings are held | Use department meetings.
When large distributed audiences are involved | Use video-based awareness programs.
When complex policies are being implemented or social awareness is desired | Use scenario game awareness programs.
When badges are in use | Use badging and carding.
When circumstances dictate urgent and severe measures | Use stand-downs.
When emergency notification of ongoing or immediately concerning events is needed | Use communications-based awareness programs.
When a positive social benefit is emphasized for the security program | Use award programs.
When specific behaviors are expected of workers in specific security-related situations | Use social pressure programs.
When trained behaviors are to be tested or reinforced unbeknownst to the workers | Use covert awareness programs.
The awareness program
Basis:
Awareness acts to ensure compliance and create identification with the protection process by providing the necessary information to be able to recognize key situations and respond to them in accordance with the enterprise plan. The total set of awareness programs used throughout the enterprise provides the content used to build an effective operational security process.
Initial awareness training for all employees
Initial briefings are required for all those who access
information within an enterprise setting. These briefings lay out the
specific things the user has to know in terms that they can act
on. Most employees get initial employee briefings through the HR
process when they first arrive to start work and this is an ideal
place to include the initial information protection briefing.
Periodic security reminders.
Periodic reminders are typically either in the form of posters,
banners, etc. or are in the form of required reviews of material,
displays of videos, email alerts, or other similar mechanisms.
Guest lectures.
Lectures are often used by large organizations with large
technical groups or other widely-attended venues as a means to bring
in high-quality experts to enhance internal programs.
Training sessions. Training sessions are
typically scheduled in groups at a department or similar level
(typically 10-30 people) and are carried out by trainers who review
specific issues during each session. More effective programs include
some sort of feedback to assure that the training is effective at
least to the extent of demonstrating knowledge of the content of the
session.
Verified learning systems.
Computer-based awareness programs provide a limited way to test
for and track awareness of specific issues in specific audiences. As a
novelty it may hold interest for a time, but it rapidly becomes
drudgery and should only be used as part of a systematic effort
associated with specific enterprise needs that cannot be fulfilled
otherwise or as a verification of awareness given via other programs.
Scenario-based policy awareness programs.
Groups are sometimes formed to work through security issues as a group process. These processes can be designed to build awareness, but the most effective and engaging of them for general security awareness tend to be those run in awareness and training game settings.
Booklets, pamphlets, and posters.
Posters and banners are sometimes used to keep up awareness
levels. While individual posters typically lose their effect in a few
weeks, it is not expensive to put up new posters every month as part
of an awareness program. Posters used in one facility can be rotated
to the next facility so that a dozen different posters purchased in
quantities of a few dozen each can be used to cover dozens of
facilities for a year.
Document review awareness. Document
review is required for all information the employee is required to
sign associated with the information protection program. Most people
don't read the documents they sign in office settings, so document
review is necessary in order to assure that they indeed understand and
agree to the terms involved.
Day-to-day awareness programs.
Day-to-day awareness is fostered by and fosters a properly protective
work environment and culture. A goal of the IP Lead should be to
create a culture of appropriate security through their overall
program, with a central focus of cultural change and maintenance
coming from the awareness program. A culture of security is not a
culture of fear.
Department meetings. Department meetings
are often used to promote security and bring out protection-related
issues. A fairly effective practice is for department meetings to
include a review of the security failures of the last month. The IP
Lead's awareness program should provide information for use in these
meetings to aid in its effectiveness. This typically includes:
A news story from the media that relates to employees directly, such as a story about someone losing their home after an identity theft caused bad credit,
A current or recent situation within the enterprise involving a security problem found and fixed or a situation that impacted a large number of employees,
Any changes to the protection program that have wide-ranging effects in the enterprise,
The introduction of any new awareness program or other item of interest, and/or
Any awards or reward programs associated with the security awareness program.
Video-based awareness programs.
Video-based awareness programs can be viewed by large audiences or
copied for large numbers of smaller audiences. If properly produced
with a combination of humor, social references, and examples, it can
be effective at conveying important messages in a way that causes high
retention of the high-level concepts. It can be repeated periodically
but becomes stale over time unless mixed in with other programs. It is
expensive to produce on your own but many such programs can be
purchased for nominal fees.
Scenario game awareness programs. Games,
typically couched as strategic scenarios and situation analysis, are
often used to create policies, work through issues, and understand
aspects of a space. But they have also been applied to awareness
programs. Typically, a game process is used by top management to
develop policies and situations that are then played out for awareness
programs by all levels of management and workers with an optional
outside facilitator.
Badging and carding. Badging & carding
systems are often associated with physical access controls but they
are also part of awareness programs. The programs should remind people
that when they encounter someone without a badge they should take
action. The specific actions should be identified and trained. The
presence and enforcement of badging and carding systems themselves are
also part of keeping people aware of security as an issue.
Stand-downs. Stand-downs have been used
in extreme circumstances to create awareness at a heightened
level. For example, government agencies have used stand-downs that
involve decertification of systems until they are repaired. They use
the repair period to do in-depth awareness programs for all employees
and contractors. In one case tens of thousands of employees were
involved in shut-downs during which awareness programs were used all
day every day to bring the seriousness of the security issues to
light.
Communications-based awareness programs.
Memos, emails, mass voice mails, internal faxes, and similar corporate
communications are often used for awareness issues, particularly when
there is a critical time-sensitive issue that requires immediate
notice. This may be part of the emergency notification system of the
enterprise that is also used in disaster recovery and other
large-scale incidents. The use of these means for other aspects of
awareness tends to be less effective and has the side effect of
reducing the effectiveness of the emergency notification process by
making it less unusual.
Award programs. Award programs provide
ways to make information protection activities positive experiences
and generate social benefits to those who do these aspects of their
job well. Award programs can be run for a few thousand dollars per
year and typically include plaques or paper certificates, public
notice, notice at department meetings, free dinners for two at local
restaurants, or other similar items.
Social pressure programs. Social
pressure is applied by creating a culture that encourages secure
behaviors. For example, when someone unrecognized is in a workspace,
the employees who normally occupy that space should know to come over
and say hello, introduce themselves, and find out if they can help the
newcomer. If the newcomer is not forthcoming with useful information
about who they are, if they don't have a proper badge, or if they are
otherwise suspicious, the social environment should create the
response that ultimately leads to the individual being escorted out of
the facility, arrested, or otherwise handled. If this is the social
environment, security will be effective and people will be friendly,
but if it is not, penetration of the facility for long-term access
will be easily achieved and sustained. Creating a social awareness
program is a good foundation for the material included in the other
aspects of the awareness program and leads to both compliance and
identification with the desired protective behaviors.
Covert awareness programs. Covert
awareness programs have recently been noticed by advertisers and
adopted for selling. They involve surreptitiously planting individuals
within environments to create social changes. This may take the form
of someone who displays protective behaviors in conjunction with a
planted intruder, someone who creates a "buzz" around a new idea or
program, or someone who uses any of a wide range of other influence
tactics to move group behavior toward desired objectives.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved